Kerio User Forums » Kerio Connect
Brute Force attack? IMAP Invalid password for user (attempt to access IMAP active users, incorrect passwords)
havinabubble

I was nosing around my SECURITY log today and noticed the following worrying entries.

Can someone with better Kerio knowledge explain what appears to be happening on my server, please?

I focused on the fact that they appear to be targeting ACTIVE users, not just random names... over and over.
How would they have narrowed that down from the billions of names you could possibly have on a mail server?

Is there any way to prevent these failed attempts, as the IP addresses keep changing?

They seem to have figured out that the account lockout threshold is about 10,
and so try in blocks of 5 or 6 before moving on to the next active user name.

Some of the non-existent accounts are/were valid mail addresses in the past.

TIA

Version: 9.1.1 (1433)
Operating system: Mac OS X (10.11.6), x86_64




Quote:

[22/May/2017 10:27:39] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:40] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:42] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:43] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:44] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:46] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:47] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:51] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:53] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:54] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:56] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:57] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:27:58] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:28:00] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:28:02] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:28:04] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 10:28:05] SMTP: Authentication attempt from host 103.207.39.169 denied, insecure authentication not allowed.
[22/May/2017 12:36:27] Failed SMTP login from 93.174.93.46 with SASL method CRAM-MD5.
[22/May/2017 15:36:37] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 60.174.198.128.
[22/May/2017 15:37:19] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 117.28.250.42.
[22/May/2017 15:37:43] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 119.160.199.228.
[22/May/2017 15:38:11] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 202.191.228.246.
[22/May/2017 15:38:39] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 221.192.141.2.
[22/May/2017 15:55:24] IMAP: User user3ATmydomain.com doesn't exist. Attempt from IP address 124.164.235.209.
[22/May/2017 15:56:14] IMAP: User user3ATmydomain.com doesn't exist. Attempt from IP address 221.228.229.45.
[22/May/2017 15:57:37] IMAP: User user3ATmydomain.com doesn't exist. Attempt from IP address 58.59.103.230.
[22/May/2017 17:55:13] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 213.138.74.85.
[22/May/2017 17:58:08] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 58.248.66.53.
[22/May/2017 18:13:19] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5.
[22/May/2017 18:48:44] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 60.49.228.161.
[22/May/2017 18:49:32] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 58.218.194.81.
[22/May/2017 18:50:03] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 60.174.192.240.
[22/May/2017 23:36:38] Sophos database has been successfully updated. Sophos Scanning Engine (5.39.13251468/3.66.2.0) is now active.
[23/May/2017 00:27:44] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 113.240.237.10.
[23/May/2017 00:28:07] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 117.243.176.60.
[23/May/2017 00:44:15] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5.
[23/May/2017 01:38:17] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 125.32.11.100.
[23/May/2017 01:38:46] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 116.112.103.205.
[23/May/2017 01:39:17] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 221.215.106.218.
[23/May/2017 01:39:43] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 219.148.39.134.
[23/May/2017 01:40:11] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 36.7.113.194.
[23/May/2017 01:40:40] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 37.28.182.173.
[23/May/2017 03:22:20] SMTP: Authentication attempt from host 96.37.64.71 denied, insecure authentication not allowed.
[23/May/2017 05:23:44] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 58.210.212.214.
[23/May/2017 05:30:46] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 218.28.135.178.
[23/May/2017 05:36:44] Sophos database has been successfully updated. Sophos Scanning Engine (5.39.13251492/3.66.2.0) is now active.
[23/May/2017 05:36:58] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 183.161.35.38.
[23/May/2017 05:37:27] IMAP: Invalid password for user user1ATmydomain.com. Attempt from IP address 71.13.140.164.
[23/May/2017 06:37:00] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 58.214.25.190.
[23/May/2017 06:37:28] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 202.199.224.253.
[23/May/2017 06:42:57] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 218.108.63.246.
[23/May/2017 06:43:24] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 60.255.181.2.
[23/May/2017 06:43:51] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 78.25.82.10.
[23/May/2017 07:24:32] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5.
[23/May/2017 07:25:05] IMAP: Invalid password for user user6ATmydomain.com Attempt from IP address 206.214.0.120.
[23/May/2017 07:25:55] IMAP: Invalid password for user user6ATmydomain.com Attempt from IP address 221.4.61.185.
[23/May/2017 07:26:35] IMAP: Invalid password for user user6ATmydomain.com Attempt from IP address 118.182.213.21.
[23/May/2017 07:27:02] IMAP: Invalid password for user user6ATmydomain.com Attempt from IP address 112.25.188.48.
[23/May/2017 08:43:48] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 58.26.113.137.
[23/May/2017 08:44:19] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 218.64.165.194.
[23/May/2017 08:44:47] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 60.166.60.26.
[23/May/2017 08:45:14] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 211.196.252.10.
[23/May/2017 08:45:41] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 218.200.15.238.
[23/May/2017 08:57:57] IMAP: User user5ATmydomain.com doesn't exist. Attempt from IP address 94.137.142.49.
[23/May/2017 08:58:24] IMAP: User user5ATmydomain.com doesn't exist. Attempt from IP address 27.235.8.81.
[23/May/2017 08:58:52] IMAP: User user5ATmydomain.com doesn't exist. Attempt from IP address 122.195.155.194.
[23/May/2017 08:59:19] IMAP: User user5ATmydomain.com doesn't exist. Attempt from IP address 125.74.189.200.
[23/May/2017 09:11:49] IMAP: User user5ATmydomain.com doesn't exist. Attempt from IP address 110.52.91.91.
[23/May/2017 11:36:49] Sophos database has been successfully updated. Sophos Scanning Engine (5.39.13251525/3.66.2.0) is now active.
[23/May/2017 14:04:03] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 220.248.203.119.
[23/May/2017 14:04:32] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 183.110.136.150.
[23/May/2017 14:05:01] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 61.190.67.138.
[23/May/2017 14:05:37] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 218.201.83.148.
[23/May/2017 14:06:11] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 175.44.133.210.


Brian (GFI/Kerio)

Are those email addresses published anywhere, e.g. on your website?
It seems that those addresses were leaked somehow but there probably isn't anything you can do about it.
Is it possible that those are failed login attempts from legitimate users and their password recently changed?
Make sure you use account lockout and password complexity.

Brian Carmichael
Instructional Content Architect
havinabubble

Brian Carmichael (Kerio) wrote on Tue, 23 May 2017 16:29
Are those email addresses published anywhere, e.g. on your website?
It seems that those addresses were leaked somehow but there probably isn't anything you can do about it.
Is it possible that those are failed login attempts from legitimate users and their password recently changed?
Make sure you use account lockout and password complexity.


They are not, and at least two of them are not even people (or mailboxes, as it turns out).

However, they are very unique to the company (as email addresses).

I initially thought they could be legit fails, but when I reversed the IPs they were China, Korea etc. and not places where the users have been working.
The failing IPs are changing all the time.

There's also a pattern through the log file...
blocks of "Failed SMTP login from X with SASL method CRAM-MD5"... invalid passwords on specific accounts... rejected simultaneous connections.

Whoever this is has figured out active names and is clearly targeting them regularly.

Further back I've spotted tons of failed brute-force usernames with mydomain... but as time has gone on they seem to have got positive results and narrowed that down to the active users.

Account lockout and password complexity were set... but the more I dig, the further back this seems to have been going on.


Quote:

[date time] IMAP connection from IP address 94.195.100.134 rejected: too many simultaneous connections (101 connections, limit 100)

[date time] Failed SMTP login from 93.174.93.46 with SASL method CRAM-MD5.

[date time] SMTP: Authentication attempt from host 185.144.82.248 denied, insecure authentication not allowed.

[date time] HTTP/CalDav: User <_at_> doesn't exist. Attempt from IP address 151.228.169.183.

[date time] SMTP: Authentication attempt from host 50.205.16.198 denied, insecure authentication not allowed.


Brian (GFI/Kerio)

If your firewall supports GeoIP filtering you can block those countries. Intrusion Prevention may also block them.

havinabubble

Brian Carmichael (Kerio) wrote on Tue, 23 May 2017 16:29
use account lockout and password complexity.


Having read a few other posts in the forum, I'm trying this trick with some success...

I've just reduced my FailedLogins to 2 (from 10) in a bid to knock this bot off course.

Quote:
<table name="AntiHammering">
<variable name="FailedLogins">2</variable>
<variable name="CheckTime">60</variable>
<variable name="BlockTime">300</variable>
<variable name="SafeAcl">Local Clients</variable>
</table>
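Two things in this thread lend themselves to working code: spotting the one-or-two-attempts-per-IP pattern against named users in the first post's log, and seeing what the AntiHammering counter just quoted can and cannot do about it. The following is an added example in Python and is not Kerio's code nor the poster's. The log lines are constructed to mirror the shapes quoted in the thread (same addresses and redacted user names), the per-source-IP sliding-window semantics given to FailedLogins / CheckTime / BlockTime is an assumption about how Kerio evaluates those keys, and the `check_time=86400` in the usage note is an illustration of the trade-off, not a recommended setting.

```python
# Added example, not Kerio's code: parse security-log lines of the shapes
# quoted in this thread, summarise failed logins per target user, and simulate
# the AntiHammering counter. Modelling that counter per source IP is an
# assumption about Kerio's semantics; the sample lines are constructed.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SAMPLE_LOG = [
    f"[22/May/2017 10:27:{39 + i:02d}] SMTP: Authentication attempt from host "
    "103.207.39.169 denied, insecure authentication not allowed."
    for i in range(0, 22, 2)  # 11 attempts from one host inside 20 seconds
] + [
    "[22/May/2017 12:36:27] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5.",
    "[22/May/2017 15:36:37] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 60.174.198.128.",
    "[22/May/2017 15:37:19] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 117.28.250.42.",
    "[22/May/2017 15:37:43] IMAP: Invalid password for user user2ATmydomain.com. Attempt from IP address 119.160.199.228.",
    "[22/May/2017 15:55:24] IMAP: User user3ATmydomain.com doesn't exist. Attempt from IP address 124.164.235.209.",
    "[22/May/2017 15:56:14] IMAP: User user3ATmydomain.com doesn't exist. Attempt from IP address 221.228.229.45.",
    "[22/May/2017 17:55:13] IMAP: Invalid password for user user4ATmydomain.com Attempt from IP address 213.138.74.85.",
    "[22/May/2017 18:13:19] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5.",
    "[22/May/2017 23:36:38] Sophos database has been successfully updated.",
]

@dataclass
class Event:
    ts: datetime
    kind: str            # "bad_password", "no_such_user" or "smtp_auth"
    user: Optional[str]  # None for the SMTP lines, which name no user
    ip: str

TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] (.*)$")
IP = r"(\d+(?:\.\d+){3})"  # stops before the sentence-ending dot
PATTERNS = [  # (kind, regex); groups are (user, ip) or just (ip,)
    ("bad_password", re.compile(r"IMAP: Invalid password for user (\S+?)\.? Attempt from IP address " + IP)),
    ("no_such_user", re.compile(r"IMAP: User (\S+) doesn't exist\. Attempt from IP address " + IP)),
    ("smtp_auth", re.compile(r"Failed SMTP login from " + IP + r" with SASL")),
    ("smtp_auth", re.compile(r"SMTP: Authentication attempt from host " + IP + r" denied")),
]

def parse_security_log(lines):
    """Keep only authentication failures; Sophos updates and the like are skipped."""
    events = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S")
        for kind, rx in PATTERNS:
            hit = rx.search(m.group(2))
            if hit:
                g = hit.groups()
                user, ip = (g[0], g[1]) if len(g) == 2 else (None, g[0])
                events.append(Event(ts, kind, user, ip))
                break
    return events

def per_user_summary(events):
    """Per target user: attempts, distinct source IPs, and whether the server
    answered 'doesn't exist' (the attacker is still enumerating names)."""
    out = {}
    for e in events:
        if e.user is None:
            continue
        s = out.setdefault(e.user, {"attempts": 0, "ips": set(), "exists": True})
        s["attempts"] += 1
        s["ips"].add(e.ip)
        if e.kind == "no_such_user":
            s["exists"] = False
    return out

def distributed_targets(summary):
    """Users where every attempt came from a different IP: the rotate-IP,
    stay-under-the-lockout pattern that a per-IP counter cannot see."""
    return sorted(u for u, s in summary.items()
                  if s["attempts"] >= 2 and len(s["ips"]) == s["attempts"])

def anti_hammering(events, failed_logins, check_time=60, block_time=300):
    """Sliding window per source IP (assumed semantics): `failed_logins`
    failures within `check_time` seconds block the IP for `block_time` seconds;
    attempts made while blocked are dropped. Returns (blocked IPs, dropped)."""
    recent = defaultdict(deque)
    blocked_until = {}
    dropped = 0
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ip in blocked_until and e.ts < blocked_until[e.ip]:
            dropped += 1
            continue
        q = recent[e.ip]
        q.append(e.ts)
        while (e.ts - q[0]).total_seconds() > check_time:
            q.popleft()
        if len(q) >= failed_logins:
            blocked_until[e.ip] = e.ts + timedelta(seconds=block_time)
            q.clear()
    return set(blocked_until), dropped

EVENTS = parse_security_log(SAMPLE_LOG)

if __name__ == "__main__":
    print(distributed_targets(per_user_summary(EVENTS)), anti_hammering(EVENTS, 10))
```

Run against the constructed sample, `anti_hammering(EVENTS, 10)` and `anti_hammering(EVENTS, 2)` both block only the bursting SMTP host 103.207.39.169: lowering FailedLogins changes how many of its attempts get through (one dropped versus nine) but nothing else, because each IMAP attempt against user2/user3/user4 comes from a fresh IP and never accumulates on any one address, and the slow CRAM-MD5 repeat from 212.92.127.112 is hours apart and only trips the counter if CheckTime is stretched to a day (`anti_hammering(EVENTS, 2, check_time=86400)`). `distributed_targets(per_user_summary(EVENTS))` is the per-user view that catches what the per-IP counter misses, and the `exists` flag separates names the attacker is still guessing from ones the server has confirmed.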
havinabubble

Thanks, good suggestion, BUT my client is a worldwide presence...
and so whenever we've blocked on countries in the past, we've caused chaos.